> For all the commenters here who think that Google and the other major tech companies are somehow less trustworthy than your ISP? Yeah, I just can't agree with those opinions.

Additionally, at least my ISP is doing business in my state/country, so there may be _some_ legal recourse if they screw me too hard.

> I run Unbound and Pi-Hole to do my own recursive resolving.

As documented by Mozilla, I made my network's DNS have use-application-dns.net return NXDOMAIN to opt out.

https://support.mozilla.org/en-US/kb/canary-domain-use-appli...

My unbound config line is:

    local-zone: "use-application-dns.net." static

I am mozillas diehard fan as firefox goes but I DO NOT trust them. I still remember some company with best search engine that got vapirised over the years and I am not prepared to trust anyone. Mozilla has some shady practices with their "research add-ons" and I am blocking their domains from firefox and using another browser to download addons.

And I will surely not allow some firm in a country with vague laws allow to do all my name resolution. Not to mozilla, not to google, not to cloudflare or anyone else (currently running unbind with caching on huge list of DNSs all over EU in random order).

ISP? They are obligated to follow the law in my country. Spying on its user would make it a criminal offense investigation, potentionally bringing their management behind bars. No, they wont even try, it is too dangerous for them.

I trust my ISP way more than mozilla. Based on law in my country. It is not DNS system to change (actually it is but convincing me that adding ssl layer on top of highly efficient protocol is worse than rolling everything trough https and changing all existing systems? I'll pass, sounds like a complex solution for simple non-problem, I am sick of looking on those in last decade), it is a law in YOUR country that allows your ISPs to spy on users and this is something that needs to change.

This is the wrong dichotomy and it's a false one perpetuated by Mozilla.

Users can have end to end encrypted DNS and browsers shouldn't be hijacking it.

To put it another way, you don't want the people who only care about eyeballs (Google, Mozilla, etc.) picking your DNS provider.

My ISP, since I have a contract with them, I can switch to another ISP anytime, and they are bound to lots of data protection laws.

On the other hand, the Mozilla Corporation clearly is desperate to find alternate sources of funding.

Probably the ISP, since it already has a working business model unrelated to selling your DNS query data and doing so is probably illegal in several countries.

I didn't fully understand the cognitive dissonance and Orwellian doublespeak going on in Mozilla until I began researching the jabs n-gate's author embeds into everything he writes concerning the company. Beacons, Google's Safe Browsing lists, etc.: None of those defaults line up the company's actions with its branding.

With Firefox 69, they broke 25% of the internet on Linux with a change to block what they call a MITM attack: Corporations and anti-virus software that add certificates to your computer to decrypt SSL traffic before passing it on to you. That's privacy-focused, I suppose?, but is a confusing change in comparison to more obvious victories such as blocking trackers and fingerprinters by default. Which they will certainly never do... until Google invents a technology that provides the same functionality with a different, less ominous name than "browser fingerprinting."

I was under the impression this work was already underway. https://wiki.mozilla.org/Security/Tor_Uplift

Brave has a better track record and Tor built-in: https://brave.com/

> It's probably a good thing? US ISPs

The world is hella lot bigger than the US.

And Firefox runs in the rest of the world too.

> Enterprise use cases can easily manage this through Group Policy.

That's Windows-only mechanism.

> Households (keep in mind we are only talking about people who knew enough to change DNS settings in the first place) can just change the setting on each of their five or so computers.

And not forget to do that for every new device they get. And after reinstalls. And occasionally just to be sure, as we know how software tends to "forget" user preferences sometimes. That's all only up until Mozillas' telemetry will show, that nobody changes the default anyway, so the preference will be removed entirely.

> And if you are using DNS as parental controls, that's not a great solution as nothing stops someone from getting the IPs out of band (ex. a website that does DNS lookups) and connecting directly to the blocked sites.

For the user, it's more complicated than that. He has to persuade the browser to send the right Host header when connecting to the obtained-out-of-band IP address. If you have rights to modify hosts file, you might change the DNS as well and spare the effort.

> And if you are using DNS as parental controls, that's not a great solution as nothing stops someone from getting the IPs out of band

You are assuming a rather narrow use case for "parental controls". For many people it is less about draconian control and more about not wanting someone (whether a child or the individual themselves) from accidentally stumbling on porn or other unwanted content.

Sure, if all the machines you care about are windows boxes managed with Active Directory. There are ways to configure it on linux and mac too by putting a json file in the firefox installation folder, but it is one more thing IT needs to worry about. I don't know of any IT professional that would be excited at the prospect of having to configure DNS for individual applications.

Gen 1 Chromecasts will not receive any new updates from Google, but will continue to function.

AFAIKT, you can block Google DNS and all your Google Cast devices should fallback to DHCP assigned DNS.

Which model Chromecast do you have?

> The fact that no mainstream consumer OS runs a local recursive resolver should be a clear signal to you that people disagree with you about this; in particular, because doing so eliminates DNS caching, which is something most people want.

Doesn't DoH eliminate caching as well? It means all your queries go out to some server on the internet with perhaps 20-50ms of latency, instead of a local cache potentially on your LAN with <1ms. A DNS cache on the LAN would also merge queries from multiple devices, concealing which device is making the query and in many cases preventing the query from having to be sent over the internet at all.

The best thing might be to have internet gateways run a DNS stub that itself makes queries via DoH/DoT/whatever and then caches them for every device on the LAN. The gateway is typically the DHCP server so it can hand itself out as the DNS and requires no configuration as well. And then it works across all devices and applications.

Running a recursive resolver does protect against one very specific kind of threat: a malicious recursive resolver that has decided to log all of my queries. DoH absolutely does not protect against this specific threat, because it's just a different protocol for speaking to a third-party recursive resolver.

A properly-configured resolver (i.e. one that is doing QNAME minimisation) only reveals a very limited amount of information to each DNS server that it queries. It's akin to the fact that browsing a web site reveals my activity to that site's origin server. I'm not overly concerned about it.

The only threat that DoH protects against is the situation where an adversary is able to observe all of my outbound DNS query traffic. In this very specific scenario (essentially a compromised ISP), then yes, DoH offers better privacy protection. But it's a rather Faustian bargain to make, because in order to receive protection against a malicious ISP, I must instead put my full trust in whomever is operating the DoH resolver. Out of the kettle and into the frying pan, isn't it?

So DoH doesn't solve the problem. It merely lets users transfer their trust from their ISP (with whom they have a legal contractual relationship governed under the laws of their home country) to a large third-party organisation (with whom they do not have a legal contractual relationship).

If it came down to a matter of holding someone to account for a breach of my privacy, I'd sure rather be up against my local ISP as opposed to a faceless global entity such as Google, Cloudflare, or even the Mozilla Foundation.

> no mainstream consumer OS runs a local recursive resolver

I think Windows might do something close. DNS client requests are cached on a per-machine basis through the DnsCache NT service. But I do not think getaddrinfo() and friends talk to that service via DNS, so strictly speaking it is not a recursive DNS server, though the resulting behavior is largely the same as if it were.

You are saying nonsense. Your own DoH server is the same recursive resolver with queries in plaintext on the wire each attributable to your server by whoever is looking. In fact, if you move your DoH server outside of your home, you are roughly doubling amount of parties involved in looking at your metadata, because pretty much none of the metadata is hidden when you just remove DNS queries from your wire and replace it with TLS, but now a whole set of other parties get to see your queries and your TLS connection towards your DoH server with identifiable IP address, likely even recorded and stored for years by more parties.

There are no "wins" with DoH no matter how you look at it.

> Otherwise, we are allowing third parties to become the absolute gatekeepers to the sources of authority for finding an IP address. Caches are not authoritative sources of DNS data.

In theory this is what DNSSEC is meant to provide: cryptographic proof that the cache is giving you unmodified data from the zone's authoritative server(s). Unfortunately... it's still very difficult to run a recursive resolver in a "hardened" configuration that strictly enforces DNSSEC validity, and that's without having a potentially-malicious cache in your query path.

The reality is that most networks blocking port 53 are also entirely unaware of DNSSEC, and in such a situation there's really no hope aside from a full-fledged VPN -- or DoH.

So I think DoH absolutely does have some use cases, such as clients using broken hotel/conference networks and laptops that are temporarily using insecure public WiFi access points. But it doesn't belong anywhere near my own, properly-configured home and work networks.

> By contrast, NextDNS shot up in reliability over past couple months across all kinds of connections

I'm sure they've improved but I was bit by downtime as recently as a week ago. Due to their custom proxy-layer that enables the blacklisting magic, on top what seems like a multi-tenant DNS resolver backed by unbound, their anycast setup, redundant network paths, multi-region server deployments are not going to mitigate downtime due to software bugs. Imo, DNS resolvers must be low latency and zero-downtime, by design.

Adguard, I'm speculating, do not have the complexity that NextDNS does (no multi-tenant smart proxy fronting the actual DNS resolver), and so do have a better chance at getting availability and latency fixed sooner?

> I personally had to give up on Warp+ and even 1.1.1.1 ... due to instability with enterprise, airline, and hotel portals.

I'm curious, what instability? I have faced issues with (free) Warp where it can't / won't bypass government imposed censorship. And streaming apps like Netflix refuse to work.

Not sure that randomizing is going to do anything useful.

Randomizing over three providers will give each of them one third of your requests, but they would just need more time to get a (near) complete list of the domains you resolve. Eg, if you resolve hackernews once a day, they'll each have that information in approximately three days.

yes. And "trusted partner" just means they have preconfigured settings in the drop down. It's also possible to specify a custom DoH provider (or disable DoH).

"Protecting your kids" is often "we log everything and have complete visibility over how people are using our service, and we're willing to share a bit of that with parents to spy on their children". It's a valid concern to have unless there's evidence to the contrary.

I'm not saying that the product doesn't have it's use, but it is not how DoH should work.

I'm trying to bolster the point that they are promoting logs and more importantly, blocking DNS queries.

How can I trust the DoH endpoint if I know they have an active product whose purpose is to log and not give back the requested IP.

> Completely free during the beta, then free up until about 300,000 DNS queries/month — $1.99/month for unlimited queries.

> We may adjust this later on based on actual costs at scale, but it will follow this logic.

>We will accept credit, debit and prepaid cards, PayPal, cryptocurrencies and other popular payment platforms.

In what sense is it troubling? I have never looked at a DNS pricing page before today, but this looks reasonable...